From 97858821f042b651066263f1b2bde4cc33c40437 Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre"
Date: Mon, 17 Sep 2012 17:07:23 -0400
Subject: fleshed out selinux policy
---
 redhat/selinux/bcfg2.fc | 7 ++++++-
 redhat/selinux/bcfg2.te | 45 ++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/redhat/selinux/bcfg2.fc b/redhat/selinux/bcfg2.fc
index 3b551b4a3..c6f230c18 100644
--- a/redhat/selinux/bcfg2.fc
+++ b/redhat/selinux/bcfg2.fc
@@ -1,12 +1,17 @@
 /etc/rc\.d/init\.d/bcfg2-server -- gen_context(system_u:object_r:bcfg2_server_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/bcfg2 -- gen_context(system_u:object_r:bcfg2_initrc_exec_t,s0)
-/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_server_exec_t,s0)
 /usr/sbin/bcfg2 -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
+/usr/sbin/bcfg2-server -- gen_context(system_u:object_r:bcfg2_server_exec_t,s0)
+/usr/sbin/bcfg2-yum-helper -- gen_context(system_u:object_r:bcfg2_yum_helper_exec_t,s0)
 /usr/lib/bcfg2/bcfg2-cron -- gen_context(system_u:object_r:bcfg2_exec_t,s0)
 /var/lib/bcfg2(/.*)? gen_context(system_u:object_r:bcfg2_var_lib_t,s0)
+/var/lib/bcfg2/Trigger/.* -- gen_context(system_u:object_r:bcfg2_server_script_exec_t,s0)
+/var/lib/bcfg2/PuppetENC/.* -- gen_context(system_u:object_r:bcfg2_server_script_exec_t,s0)
+/var/lib/bcfg2/Cfg/.*/:test -- gen_context(system_u:object_r:bcfg2_server_script_exec_t,s0)
+
 /var/run/bcfg2-server\.pid -- gen_context(system_u:object_r:bcfg2_var_run_t,s0)
 /var/lock/bcfg2\.run -- gen_context(system_u:object_r:bcfg2_lock_t,s0)
diff --git a/redhat/selinux/bcfg2.te b/redhat/selinux/bcfg2.te
index 3b4fb4e2d..3ab15c380 100644
--- a/redhat/selinux/bcfg2.te
+++ b/redhat/selinux/bcfg2.te
@@ -5,6 +5,8 @@ policy_module(bcfg2, 1.1.0)
 # Declarations
 #
+gen_tunable(bcfg2_server_exec_scripts, true)
+
 type bcfg2_t;
 type bcfg2_exec_t;
 init_daemon_domain(bcfg2_t, bcfg2_exec_t)
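Review bot: `gen_tunable(bcfg2_server_exec_scripts, true)` ships a boolean enabled by default even though, later in this patch, it is the only switch controlling whether bcfg2-server may transition into the script domain that the same patch makes unconfined where the unconfined module is present; a boolean that widens privilege is conventionally shipped off and turned on per host with setsebool. The tunable also has no refpolicy description block, which is what `semanage boolean -l` and the generated policy docs read from. I would put `## <desc>`, `## <p>Allow bcfg2-server to execute Trigger, PuppetENC and Cfg :test scripts under /var/lib/bcfg2.</p>` and `## </desc>` directly above the gen_tunable line, and consider `false` as the default unless the Red Hat packaging is known to require scripts out of the box.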
@@ -22,6 +24,14 @@ init_script_file(bcfg2_server_initrc_exec_t)
 type bcfg2_var_lib_t;
 files_type(bcfg2_var_lib_t)
+type bcfg2_server_script_t;
+type bcfg2_server_script_exec_t;
+application_domain(bcfg2_server_script_t, bcfg2_server_script_exec_t)
+role system_r types bcfg2_server_script_t;
+
+type bcfg2_yum_helper_exec_t;
+application_domain(bcfg2_server_t, bcfg2_server_script_exec_t)
+
 type bcfg2_var_run_t;
 files_pid_file(bcfg2_var_run_t)
@@ -39,12 +49,13 @@ files_config_file(bcfg2_conf_t)
 allow bcfg2_server_t self:fifo_file rw_fifo_file_perms;
 allow bcfg2_server_t self:tcp_socket create_stream_socket_perms;
 allow bcfg2_server_t self:unix_stream_socket { connectto create_stream_socket_perms };
-allow bcfg2_server_t self:process setrlimit;
-allow bcfg2_server_t self:capability { setgid setuid };
+allow bcfg2_server_t self:process { setrlimit setsched };
+allow bcfg2_server_t self:capability { setgid setuid sys_nice };
 manage_dirs_pattern(bcfg2_server_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
 manage_files_pattern(bcfg2_server_t, bcfg2_var_lib_t, bcfg2_var_lib_t)
 files_var_lib_filetrans(bcfg2_server_t, bcfg2_var_lib_t, dir )
+manage_files_pattern(bcfg2_server_t, bcfg2_server_script_t, bcfg2_server_script_t)
 manage_files_pattern(bcfg2_server_t, bcfg2_var_run_t, bcfg2_var_run_t)
 files_pid_filetrans(bcfg2_server_t, bcfg2_var_run_t, file )
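Review bot: The second `application_domain` call pairs `bcfg2_server_t` with `bcfg2_server_script_exec_t`, which reads as a copy of the line above rather than the helper declaration: it registers the script files as an entry point for the server domain, while `bcfg2_yum_helper_exec_t` is declared and then attached to nothing, so the `/usr/sbin/bcfg2-yum-helper` label in bcfg2.fc and the later `can_exec` rule refer to a type that is neither `file_type` nor `exec_type`. Since the comment on that can_exec says the helper runs in the server's own context and no helper domain is declared, the line should presumably be `application_executable_file(bcfg2_yum_helper_exec_t)` (or `application_domain(bcfg2_server_t, bcfg2_yum_helper_exec_t)` if a server entry point is wanted). Worth confirming the intent, because as written the patch quietly makes every Trigger, PuppetENC and :test script an entry point for `bcfg2_server_t`.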
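Review bot: `manage_files_pattern(bcfg2_server_t, bcfg2_server_script_t, bcfg2_server_script_t)` names the script process domain declared in the previous hunk, not a file type, so it grants create/write/unlink on a type no inode carries and the server still cannot touch the scripts. The files under Trigger, PuppetENC and Cfg/*/:test are labelled `bcfg2_server_script_exec_t` in bcfg2.fc, so the intended line is `manage_files_pattern(bcfg2_server_t, bcfg2_server_script_exec_t, bcfg2_server_script_exec_t)`. Before making that change, check whether the server really needs write access: a domain that can author executables it later transitions into, and which this patch can make unconfined, has a direct privilege-escalation path, and `read_files_pattern` plus the exec grant in the tunable block may be enough if scripts are only ever installed by the administrator.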
@@ -77,8 +88,37 @@ auth_use_nsswitch(bcfg2_server_t)
 libs_exec_ldconfig(bcfg2_server_t)
+# let bcfg2-server run bcfg2-yum-helper in the exact same context
+can_exec(bcfg2_server_t, bcfg2_yum_helper_exec_t)
+
 # port 6789 was somehow already claimed by cyphesis, whatever that is
 corenet_tcp_bind_cyphesis_port(bcfg2_server_t)
+corenet_tcp_connect_http_port(bcfg2_server_t)
+corenet_tcp_sendrecv_http_port(bcfg2_server_t)
+
+optional_policy(`
+ corenet_tcp_connect_postgresql_port(bcfg2_server_t)
+ corenet_sendrecv_postgresql_client_packets(bcfg2_server_t)
+
+ postgresql_stream_connect(bcfg2_server_t)
+')
+
+optional_policy(`
+ corenet_tcp_connect_mysqld_port(bcfg2_server_t)
+ corenet_sendrecv_mysqld_client_packets(bcfg2_server_t)
+
+ mysql_search_db(bcfg2_server_t)
+ mysql_stream_connect(bcfg2_server_t)
+')
+
+optional_policy(`
+ unconfined_domain(bcfg2_server_script_t)
+')
+
+tunable_policy(`bcfg2_server_exec_scripts', `
+ domtrans_pattern(bcfg2_server_t, bcfg2_server_script_exec_t, bcfg2_server_script_t)
+ can_exec(bcfg2_server_t, bcfg2_server_script_t)
+')
 ########################################
 #
@@ -157,7 +197,6 @@ auth_use_nsswitch(bcfg2_t)
 seutil_domtrans_setfiles(bcfg2_t)
 seutil_domtrans_semanage(bcfg2_t)
-seutil_run_semanage(bcfg2_t)
 sysnet_dns_name_resolve(bcfg2_t)
 sysnet_run_ifconfig(bcfg2_t, system_r)
-- 
cgit v1.2.3-1-g7c22
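Review bot: The `optional_policy` wrapping `unconfined_domain(bcfg2_server_script_t)` is keyed only on the unconfined module being loaded, so on a typical targeted policy every script the server transitions into runs fully unconfined, and this cannot be narrowed at runtime because attribute membership is not allowed inside `tunable_policy`; the only switch left is `bcfg2_server_exec_scripts`, which this patch defaults on. That consequence should at least be written down next to the block, e.g. `# scripts run unconfined wherever the unconfined module is loaded; bcfg2_server_exec_scripts is the only off switch`, and it is worth asking whether the script domain needs unconfined rather than a targeted rule set. Separately, `can_exec(bcfg2_server_t, bcfg2_server_script_t)` names the process domain rather than the file type; the scripts are labelled `bcfg2_server_script_exec_t` in bcfg2.fc, so it would have to read `can_exec(bcfg2_server_t, bcfg2_server_script_exec_t)`, and with `domtrans_pattern` already on that type the extra execute_no_trans grant only matters if the server deliberately suppresses the transition, so it should be dropped unless that is intended.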